Detailed Transition Period
ISO/IEC 27001:2022 Change Analysis
Changes within the body of the ISO/IEC 27001 standard have been made to better align with the harmonized structure for management system standards (i.e. Annex SL).
Of note, changes have been made in the following requirements:
- 4.2 Understanding the needs and expectations of interested parties
- 4.4 Information security management system
- 6.2 Information security objectives and planning to achieve them
- 6.3 Planning of changes
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.3.2 Management review inputs
- The Annex A controls have been regrouped from 14 control objectives to 4 broad themes that include: Organizational, People, Physical, and Technological Controls
- The overall number of controls within Annex A stands at 93 controls compared to the 114 controls in the previous edition
- However, several previous controls have been consolidated into broader new controls, and 11 new controls have been added, including:
  - Threat Intelligence
  - Information Security for use of Cloud Services
  - Physical Security Monitoring
  - Configuration Management
  - Information Deletion
  - Data Masking
  - Data Leakage Prevention
  - Web Filtering
  - Secure Coding
- Additionally, ISO/IEC 27002:2022 identifies 5 control attributes that can be used to categorize controls in various ways; the attributes are:
  - Control Type
  - Information Security Properties
  - Cybersecurity Concepts
  - Operational Capabilities
  - Security Domains
- ISO 27002:2022 also defines a purpose for each individual control to better explain the intent of each control
Preparing for your ISO/IEC 27001 Transition
Organizations must transition their Management System in accordance with the requirements of ISO/IEC 27001:2022 before their transition audit is conducted. This should include any documentation changes, along with evidence of any new or changed process requirements.
Of note, organizations must conduct an internal audit and management review of the new/changed requirements prior to the transition audit being conducted.
Organizations may have a transition gap assessment conducted by WECERT prior to their official transition audit. This could be conducted in conjunction with an earlier ISO/IEC 27001:2013 surveillance audit, or at any other stand-alone time prior to their transition audit.
ISO/IEC 27001 Transition Audit
- All organizations must have a Transition Audit to confirm the implementation of the revised standard. The Transition Audit may be conducted in conjunction with an existing audit, or may be a stand-alone audit.
- If the Transition Audit is conducted in conjunction with an existing surveillance (i.e. transition surveillance) or recertification audit (i.e. transition re-assessment), additional time may be added to the audit duration in order to cover the new requirements/concepts introduced by ISO/IEC 27001:2022.
- If a stand-alone audit is carried out for the transition audit, the duration will be calculated on an individual organization basis.
Note: Specific audit durations for transition will depend on the actual situation of the organization including the organization’s size and the complexity of the ISMS.